Allow
The HTTP Allow response header lists the HTTP Methods supported by the target resource.
Usage
Servers include Allow to communicate which request Methods a resource supports. The header is required in 405 Method Not Allowed responses, where the server informs the client about the valid methods for the requested URI.
The header also appears in responses to OPTIONS requests. An OPTIONS request asks the server to describe the communication options available for a resource, and Allow provides the list of permitted methods in the response.
The value is a comma-separated list of standard HTTP method names. The list reflects the methods the resource accepts at the time of the response. An empty Allow header signals no methods are currently accepted, which occurs when a server temporarily restricts access to a resource.
The Allow header describes the target resource, not the server as a whole. Different resources on the same server often support different sets of methods. A collection endpoint might accept GET and POST, while an individual resource supports GET, PUT, and DELETE.
Directives
method-list
A comma-separated list of HTTP method names. Common values include:
GET: retrieve the resourceHEAD: retrieve headers without a bodyPOST: submit data to the resourcePUT: replace the resourcePATCH: partially modify the resourceDELETE: remove the resourceOPTIONS: describe communication options
Allow: GET, HEAD, POST
Example
A client sends a DELETE request to a resource supporting only GET and POST. The server responds with 405 and includes the Allow header listing the valid methods.
HTTP/1.1 405 Method Not Allowed
Allow: GET, POST
Content-Type: application/json
A response to an OPTIONS request shows all methods the resource accepts. The HEAD method is implicitly available when GET is supported.
HTTP/1.1 200 OK
Allow: GET, HEAD, PUT, DELETE
Content-Length: 0
A 201 Created response after a POST includes Allow to indicate the methods available on the newly created resource.
HTTP/1.1 201 Created
Location: /items/42
Allow: GET, PUT, DELETE
Takeaway
The Allow header declares which HTTP Methods a resource supports. Servers include this header in 405 responses and OPTIONS responses to guide clients toward valid request methods.
